-
Notifications
You must be signed in to change notification settings - Fork 25k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RPM verification failure on RHEL 8 in FIPS mode #58257
Comments
Pinging @elastic/es-core-infra (:Core/Infra/Packaging) |
The elasticsearch rpm package does not yet have a sha256 header, just sha1 and md5. Unfortunately I don't think we will be able to add this anytime soon. We use the Nebula ospackage gradle plugin to build our rpm, which does not yet have support for the sha256 header. I also looked at Redline, the library ospackage is built on top of, but that also does not have support. It might be possible to insert a custom header in Redline, but the redline builder needed for this is hidden within ospackage and not exposed. So, short of completely changing the infrastructure we build our rpms on, I don't see a way to add the necessary sha256 that RHEL 8 with FIPS is requiring. |
This is a huge issue for DoD. Manual installation of RPMs across large clusters is going back 10 years in technology. Bypassing file integrity checks does not bode well. This affects every RPM package that Elastic publishes and as more people move to RHEL 8, it will become more and more of a problem. |
The team discussed this today and will work on getting support added for SHA256 to redline and then see about ospackage moving to that version of redline. Separately we will ensure we have packaging tests that will run in an environment with FIPS/OSPP enabled. |
Any update on these issues? |
Just wanted to drop a +1 for this. Hoping to see this implemented. |
We're also needing this implemented. |
@jaymode any update on this? Once this is available in redline I might be able to look into providing a patch to ospackage |
A small heads up. I've just raised a Pull Request on the redline library that ES is using to build RPMs that adds sha256 header support. see craigwblake/redline#157 I'll work on a temporally solution to get these changes into the ES build until this PR gets merged and ends up in a released version of redline. |
I've created a PR that brings the changes in redline I've added to our elasticsearch build (see #75569). Now when verifying signatures of the rpm we see
|
This adds support for Sha256 header signature in our RPMs by updating the dependency to the readline library to a version we have patched until the provided PR (craigwblake/redline#157) got merged and released by the redline folks. This work is related to elastic#58257
This adds support for Sha256 header signature in our RPMs by updating the dependency to the readline library to a version we have patched until the provided PR (craigwblake/redline#157) got merged and released by the redline folks. This work is related to #58257
It seems just adding the sha256header is not enough to get our RPMs working in FIPS environments. I spun up a centos8 tips enabled ci machine and test out rpm installation there with the latest tweaks:
I think its complaining about missing MD5 digests and Payload SHA256 digest. I'll take some time to look into this. The md5 checksums should be there but I assume we see a problem that the digest is stored in outdated RPM tags |
We applied further changes to the redline library we use in elasticsearch to make our RPM packages FIPS compliant: #75569 With this change I was able to install our nightly ES rpm (https://snapshots.elastic.co/8.0.0-36034684/downloads/elasticsearch/elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm) in a centos-8 tips enabled environment:
|
Do we have the infrastructure to setup a RHEL 8 in FIPS mode to test this against RHEL 8 and not just on CENTOS 8? |
I'd be more than happy to test it on a RHEL system. |
Thanks @breskeby! We are working to perform tests in a RHEL8 FIPS environment too. |
This adds support for Sha256 header signature in our RPMs by updating the dependency to the readline library to a version we have patched until the provided PR (craigwblake/redline#157) got merged and released by the redline folks. This work is related to elastic#58257
Sorry for the pile-on here, but we hit this today trying to deploy elasticsearch 7.14 RPMs on our FIPS-enabled RHEL 8 systems. Great to see the progress on the 8.0 builds, when can we expect these fixes on the 7.x RPM packages? |
@chuckmilam the changes to the RPM package for FIPS compatibility will be available in the upcoming 7.15 release which will drop shortly. |
@mark-vieira Should I be concerned this issue isn't listed in the 7.15 release notes? |
Sorry, not sure why it slipped through the release notes but it should have been mentioned there. This is actually the PR of note: #76440 |
Excellent! Thank you. Now standing by for the new RPM builds to appear in the Elastic repos. How often does that packaging build pipeline run? |
We're having some trouble with the YUM repos at the moment, but you can grab the updated RPMs directly here: https://www.elastic.co/guide/en/elasticsearch/reference/current/rpm.html#install-rpm |
Thanks! I will test with these, but we need the YUM repos as part of our automation. We're using the elastic/ansible-elasticsearch Ansible roles wherever we can. |
Confirming a locally-downloaded elasticsearch-7.15.0-x86_64.rpm installed without complaint on a STIG and FIPS-compliant RHEL 8 system, where the v.7.14.2 RPM would not. Looks like we have a winner. Thanks, Elastic team. Looking forward to the Yum repo updates. |
Great to hear @chuckmilam. The team is working on the YUM repo as we speak. |
@chuckmilam the Elasticsearch YUM repos are now up to date so you should be able to pull from there now: https://www.elastic.co/guide/en/elasticsearch/reference/current/rpm.html |
Looking good here! Thanks. |
@chuckmilam thanks for the feedback and testing. highly appreciated |
Looks like due to this : https://bugzilla.redhat.com/show_bug.cgi?id=1728031
I am unable to install elasticsearch from the repository as it warns : package elasticsearch-0:7.7.1-1.x86_64 does not verify: no digest.
Running RHEL 8.2
The text was updated successfully, but these errors were encountered: